The automotive industry has a history of embracing cutting-edge technologies. Far from just an engine and four wheels, now a vehicle can have as many as 50 computer systems operating and controlling a variety of features. While this surge in connectivity and autonomy has radically changed how people drive for the better, it also creates an urgent need for robust cyber security protocols.
Moreover, automotive manufacturers and retailers face a challenge with data security, especially when handling and processing personally identifiable information (PII). Failure to implement adequate data privacy protocols can, and does, result in large regulatory fines and loss of customer trust.
Within every aspect of the automotive sector, cyber security has transitioned from an optional feature to a fundamental component. It plays a crucial role in ensuring the safety and reliability of vehicles, the manufacturing and production processes, and the management of these operations.
According to a recent report by Upstream Security, there was a 99% surge in incidents related to automotive cyber security between 2019 and 2020. By 2022, instances of automotive API attacks had skyrocketed by 380%, constituting 12% of the total recorded incidents, in spite of the advanced cybersecurity measures employed by OEMs. These threats concerning automotive cyber security encompass an extensive array of assaults, ranging from remote exploitations and data breaches to ransomware attacks and even the physical manipulation of vehicular components. As technological advancements persist, maintaining a high level of vigilance within the automotive sector to recognise and mitigate these threats remains paramount.
The impact of a cyber attack
Data breaches within the automotive sector have become more frequent, particularly involving well-known manufacturers and brands. Earlier this year there was a leak of data on Toyota customers in Japan, which had been publicly available for a decade due to a simple technical error. Over two million customers had data exposed; that’s nearly the entire customer base which had signed up for Toyota’s main cloud service platforms since 2012.
Then, prominent automotive retailer Arnold Clark was blackmailed by hackers after suffering a data breach. It was reported that customers had their addresses, passports and national insurance numbers leaked on the dark web following a cyber attack on the car retail giant.
More recently, Tesla disclosed a data breach impacting roughly 75,000 people. Notably, this is the result of a whistle-blower leak rather than a malicious cyber attack. The compromised information includes names, contact information, and employment-related records associated with current and former employees as well as customer bank details, production secrets, and customer complaints regarding driver assistance systems.
The examples mentioned above merely scratch the surface of a vast and intricate issue, illustrating how various enterprises within the automotive sector are under threat. These attacks are expected to have adverse repercussions in several ways.
In the event of a data breach at the manufacturer or automotive retailer, the sheer volume of customer PII at risk could severely erode consumer trust in the brand. Furthermore, the compromise of sensitive business data, including intellectual property, financial information, and future strategies, poses a significant threat, potentially resulting in the loss of any competitive edge the company may have held.
On top of that, the financial damage from a cyberattack can be substantial, with the latest estimates stating the average cost of a data breach is £3.4m (US$4.2m). Once a successful attack occurs, conducting audits and patching the weak areas can add costs not initially factored in by the company.
In addition, an automotive company that becomes a target of a cyber attack or experiences a data breach is likely to encounter financial penalties under the General Data Protection Regulation (GDPR) and the European cyber security regulations. These regulations notably include the Network & Information Systems (NIS) Directive, currently transitioning to the NIS2 Directive, which is set to establish an extended EU cyber security framework encompassing the road transport industry as well. Moreover, the regulatory body is expected to conduct an inquiry into the company’s adherence to regulatory protocols, identifying and underscoring any instances where the company falls short of meeting the prescribed requisites.
Data, privacy and connected cars
Another growing element within the car industry is the connected car market, which is gaining momentum. It is projected that by 2028, its value will soar to nearly US$192bn. Even conventional non-electric vehicles now embody an extensive array of microchips which oversee a wide range of functions, ranging from entertainment and air conditioning systems to critical operations like collision avoidance, lane assistance and braking.
Naturally, as computing power and usage increase within these vehicles, so does the amount of data. Modern-day vehicles are more akin to computers with wheels. These vehicles also have an array of intelligent sensors in key areas that collect a plethora of data, covering tyre temperatures, speed, GPS, and oil and water levels; some cars even monitor the heart rates of drivers. All this information is then consumed by the manufacturers, which can monitor servicing intervals, product quality and performance. Should any of this data not be adequately anonymised or protected, it will present a potential target for cyber criminals.
Data security best practices
So how can the automotive industry continue business operations effectively while still maintaining data security for customers?
The foremost imperative for any organisation is to acquaint itself with the data it processes and comprehend the regulatory implications associated with such activities. It’s possible that sensitive information is being collected either in an insecure manner or without genuine necessity. Once the composition of the company’s data inventory is grasped, it becomes crucial to identify what data holds sensitivity, what necessitates safeguarding, and what is superficial.
The capacity to precisely locate data at any given time is paramount. Understanding the significance of this within internal systems constitutes a pivotal stride towards ensuring data security. Companies must initiate protection for any instance of sensitive data right from the initial interaction and sustain this safeguarding throughout its complete lifecycle.
In today’s digital era, simply depositing masses of data on a password-protected cloud server or relying solely on perimeter defences is insufficient; these measures represent the bare minimum. What truly stands out as necessary for safeguarding sensitive data is a data-centric security strategy. This entails fortifying the data itself rather than solely focusing on its container. Techniques like tokenisation and pseudonymisation, which obfuscate data, emerge as potent tools in the battle for data privacy.
These methods operate by substituting regulated data with a ‘token’ to facilitate data analysis for marketing or data science applications. The exceptional aspect is that tokenisation renders the information valueless to cyber criminals and unauthorised individuals, as no data remains in plaintext, thus eliminating the financial incentive for a cyber attack on the company.
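As an added illustration (not from the article or any vendor product), the sketch below applies the substitution described above to constructed telemetry records: the driver's email is replaced by a random vault token, the VIN by a keyed HMAC pseudonym, and a per-vehicle analytics query still works on the protected records. The field names, the `TokenVault` class and the sample values are assumptions made for this example.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict


def pseudonymise(value: str, key: bytes) -> str:
    """Keyed pseudonym: stable for joins, not reversible, needs the key to recompute."""
    return "psn_" + hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


class TokenVault:
    """Vault tokenisation: random tokens; only the vault can map them back."""
    def __init__(self):
        self._by_value = {}   # a production vault encrypts and access-controls this
        self._by_token = {}

    def tokenise(self, value: str) -> str:
        if value not in self._by_value:
            token = "tok_" + secrets.token_hex(8)   # random, not derived from value
            self._by_value[value] = token
            self._by_token[token] = value
        return self._by_value[value]

    def detokenise(self, token: str) -> str:
        return self._by_token[token]


def protect(record: dict, vault: TokenVault, key: bytes) -> dict:
    """Tokenise the email (may need recovery), pseudonymise the VIN (join key only)."""
    return {**record,
            "driver_email": vault.tokenise(record["driver_email"]),
            "vin": pseudonymise(record["vin"], key)}


def mean_speed_by_vehicle(records: list) -> dict:
    """Analytics that needs a stable vehicle identifier, not the real VIN."""
    speeds = defaultdict(list)
    for r in records:
        speeds[r["vin"]].append(r["speed_kmh"])
    return {vin: sum(v) / len(v) for vin, v in speeds.items()}


# Constructed sample telemetry; the VINs and addresses are made up.
TELEMETRY = [
    {"vin": "TESTVIN0000000001", "driver_email": "a@example.com", "speed_kmh": 50},
    {"vin": "TESTVIN0000000001", "driver_email": "a@example.com", "speed_kmh": 70},
    {"vin": "TESTVIN0000000002", "driver_email": "b@example.com", "speed_kmh": 90},
]
```

The pseudonymisation key and the vault contents are the only places the link back to the real values survives, so they belong in a separately controlled service from the analytics store.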
By collaborating with a proficient technology partner offering uninterrupted data identification, categorisation, and defence across all environments, organisations within the automotive industry can establish a robust stance for all data that is processed. After all, it’s not just the safety of vehicles that automakers are responsible for in this new, data-driven world.
About the author: Erfan Shadabi is a Cyber Security Expert at comforte AG